Recent Enforcement Actions by Regulators Show Continued Focus on Cybersecurity and Data Protection Issues

A pair of recent enforcement actions by the CFTC and New York Attorney General’s Office (“NYAG”) show that both federal and state authorities are pursuing cases against companies believed to have insufficient data security practices, even in the absence of breaches resulting in harm to customers.

First, late last month, the CFTC entered into a settlement with a registered futures commission merchant that allegedly failed to diligently supervise an unnamed “IT Provider.” The IT Provider inadvertently introduced a vulnerability into the merchant’s network, exposing private customer records and sensitive information, including personally identifiable information. An unnamed “Third Party” detected the vulnerability and accessed nearly 100,000 files containing sensitive information. The Third Party eventually contacted the merchant and federal authorities to disclose the vulnerability, and deleted the data. It appears that the data was not otherwise improperly accessed.

The settlement order alleged that the merchant’s failure to supervise the IT Provider was a violation of 17 C.F.R. § 160.30, which requires certain regulated entities to “adopt policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.” Although the merchant had adopted these policies—known as information systems security programs or “ISSPs”—the alleged failure was that the merchant did not ensure that the IT Provider followed such policies.

As a result of the settlement, the merchant was required to pay a $100,000 fine to the CFTC, and the merchant represented it was taking steps to protect its network going forward.

Second, the NYAG settlement with a healthcare provider, like the CFTC action, did not stem from malicious, unauthorized access that led to harm. Rather, the healthcare provider accidentally disclosed the Social Security numbers of over 55,000 New York residents—on the outside of envelopes mailed to those residents. According to the announcement, this violated not only HIPAA obligations to safeguard patients’ information, but also a specific New York law prohibiting printing Social Security numbers on a mailer in a way that is visible from the outside without having to open the envelope. New York General Business Law § 399-ddd(2)(e). Once again, however, the order made no reference to any specific, unauthorized use of the Social Security numbers, nor did it otherwise note specific harms to the impacted consumers.

As part of the settlement, not only did the healthcare provider agree to pay a $575,000 penalty, but it also agreed to implement a corrective action plan. Among other details, the plan requires the healthcare provider to conduct a risk analysis and report its findings to the NYAG. Further, it will review and revise its data security policies, and explain the changes to those policies.

* * *

In civil cases stemming from data breaches, defendants can file a motion to dismiss for lack of standing if there is no harm to affected individuals (although such arguments have varying levels of success depending on where the suit is filed, as we have previously discussed here). In contrast, data security regulations and statutes often have no injury requirement, and thus federal and state regulators with jurisdiction to enforce such provisions may do so even in the absence of any harm to customers or others. These enforcement actions further highlight the need for companies to create, maintain and enforce data security policies both internally and with respect to third parties with access to company data and systems.

Katherine Mooney Carroll’s practice focuses on advising U.S. and international financial institutions on U.S. regulatory matters, including recent reforms pursuant to the Dodd-Frank Act, regulatory aspects of bank M&A, cybersecurity and privacy matters, and compliance with U.S. sanctions and anti-money laundering laws.

Francesco De Biasi’s practice primarily focuses on private enforcement and internal investigations of corporate wrongdoing, with a focus on the requirements under Legislative Decree 231/2001, as well as on corporate, civil, labor law and data protection matters related to white collar crimes.